Opinions are like a%$*oles, everyone has them and they're usually full of &amp;*it! Argue with our Opinion writers or add your own. Who knows... a great opinion post could land you a featured opinion article!

Most disclosure policies come with pros and cons - which one to choose has everyone to decide for oneself. I have written a short article about disclosure policies for the Hakin9 magazine - my English version of it should be available in the coming issue, if anyone is interested.

So I put it to you: your opinion on public disclosure of new exploits?

“We must always think about things, and we must think about things as they are, not as they are said to be.” George Bernard Shaw

Public disclosure has never been in the best interest of any vendor for a lot of reasons. Firstly, it can be quite costly for them to run around and mop up their mess. Secondly, it can be quite embarassing. Thirdly, its almost always more economical for them to play damage control "condemn the researcher" than to do the right thing.

Let's take a theoretical look at what happens when a vulnerability is submitted to a vendor. Using MS as an example since we're speaking of them, let's go through the motions of submitting a bug. 1) Person in MSRC opens message and asks for more information. (n amount of time) 2) Person in MSRC acts to escalate 3) Other individuals on the team take a look at it. 4) Validation slash replication of exploitation takes place. 5) Buggy code in program investigated 6) Buggy code found and fixed 7) Marketing hype downplaying bug is created/generated Patch Tuesday (or better depending on the severity of the bug).

I figure my numbers in man hours here... Let's assume it took 2 months to determine what was going on and I use this number based on the following comment from the Daily Dave mailing list:

http://www.zerodayinitiative.com/advisories/upcoming/Shows how well that "responsible" disclosure is working out:ZDI-CAN-357 Microsoft High 2008-06-25, 720 days agoZDI-CAN-527 Microsoft High 2009-07-14, 336 days agoZDI-CAN-533 Microsoft High 2009-07-23, 327 days agoZDI-CAN-543 Microsoft High 2009-08-06, 313 days agoZDI-CAN-599 Microsoft High 2009-10-20, 239 days agoWhat's responsible about letting a vendor sit on a serious vulnerability for almost two years?

So two months is generous. Let's suppose 12 people took 2 hours per work week on my personal bug. 24 man hours (salary) per week * 8 weeks (2 months). 192 total hours down the tube so far. Now let's assume all these employees average a salary of $75,000.00 per year which is extremely low if you ask me, but I'm trying to be fair and theoretical here. At that salary divided by 52 weeks they'd make an estimated $1,442.31 per week or 36.06 per hour. $4,615.38 to fix this bug? Highly doubtful... That cost is ENORMOUSLY low but I'll roll with it anyway. So we have a loss of $4,615.38 multiplied by how many bugs per year here? At my rock-bottom prices, ZDI disclosed 18 advisories to date for MS which would total $83,076.84 in loss from ZDI alone.

Now be realistic about this, I figure a typical bug to average about $10-20,000.00 in costs to fix and I have read that MS pays to the tune of $1,000,000.00 and up per bug fix in R&D, fixing, pushing out, etc.. So again, if this holds true, my numbers are peanuts (obviously). Let's round things off to 10k per bug found and fixed... Using last year's data (2009):

At this rate, (10k per fix) MS just threw out $230,000.00 on bugs alone which is peanuts in comparison to their earning. Now much would you like to bet that the actual number for 2009 was probably 20x more? Remember, my numbers are ONLY based on exploit(ed)able issues. Imagine how much MS spends on investigating issues that don't produce results (false positives). So what do you think works better for companies like MS... Spending some marketing time downplaying security as a whole and security research and the researchers. Or actually providing fixes and or good code.

Business as usual dot dot dot Because businesses are in the business to (*drum roll*) make money, you have to understand the potential economic impact of a security hole being discovered and disclosed. For Microsoft, they're in the business to make money not throw it away so it boils down to damage control. If the bug triggers shaky confidence in Microsoft's stock a one percent drop means MS loses $2,310,540,000.00 at this moment based on its market cap. So you tell me, what would make more sense financially for you if you were in a business manager's shoes?

Last edited by sil on Fri Jun 18, 2010 10:03 am, edited 1 time in total.

As for me, I totally understand the business impact of patching (and thank you for backing up the numbers).

On the other hand, all that money is cost of doing business and is part of any software company. Microsoft just happens to be the big name and is the BIG target.

The case for public disclosure seems to just force the issue instead of allowing the company to self-regulate its patching schedule. I'm sure there's a measure of pride on both sides, but the company is the one that fronts the bill.

I suppose I never really realized this was such a big topic.

"Live as though you would die tomorrow, learn as though you would live forever."

As for me, I totally understand the business impact of patching (and thank you for backing up the numbers).

On the other hand, all that money is cost of doing business and is part of any software company. Microsoft just happens to be the big name and is the BIG target.

The case for public disclosure seems to just force the issue instead of allowing the company to self-regulate its patching schedule. I'm sure there's a measure of pride on both sides, but the company is the one that fronts the bill.

I suppose I never really realized this was such a big topic.

yatz, I tried to be responsive so that others may understand the numbers I get the impression there are a lot of newcomers and young individuals here who probably aren't aware of many security factors. The entire topic of full-disclosure, responsible disclosure, etc., has been argued for years on end.

My personal fave happens to be Marcus Ranum's responses on this http://www.ranum.com/security/computer_ ... closure-1/ I've always enjoyed and learned his methods of explaining things from an alternative perspective. He also happens to be a really cool guy even though there are times he writes things and I'm tempted to fire off an email and say... WTH.

Please take a quick minute or two to check out his paper. There is a lot of truth in what he says when it comes to security and "the fame"

sil wrote:My personal fave happens to be Marcus Ranum's responses on this http://www.ranum.com/security/computer_ ... closure-1/ I've always enjoyed and learned his methods of explaining things from an alternative perspective. He also happens to be a really cool guy even though there are times he writes things and I'm tempted to fire off an email and say... WTH.

I finally got around to reading this and man he makes a lot of sense. It's kinda what you already imagine is going on, but the way he says it is very direct. Doesn't sound like he has a lot of love for security researchers.

It would seem to me though that the only ones you hear about are those that fit the category described in the article. There are probably others out there that you don't hear about that really are in it for benefit. If there wasn't, open-source wouldn't be as popular.

"Live as though you would die tomorrow, learn as though you would live forever."

Personally, I am mostly against public disclosure. As sil's link by Ranum pointed, I strongly believe that fame and marketing are the motives behind public disclosure. I just could never agree that the so-called "benefits" of it can really be that beneficial.

In general though, I am not involved in exploitation (not yet, dunno what may happen later) and probably this is why I see things from this perspective.

I use the public disclosed information a fair amount, especially with POC. It's even more valuable if there are things in the wild as I've written a number of custom rules based on the disclosure that protect me in some cases better than what AV already does or in many many cases, what AV says it does. Without some of this information, it's difficult to tell how protected you really are.

There are lots of positives and negatives to both sides of this debate, but for me, I hope that the bad guys are not the only ones looking for bugs. The question really lies in, how does one disclose something "responsibly" when the vendor says it's not a problem. If you knew about it, and then someone else comes out with a 0day, were you responsible or irresponsible for not letting people know ahead of time how to be protected ?